How much is your stolen data worth on the dark web?

A new report reveals how much cyber criminals are willing to pay for stolen
data on the dark web

Ever wondered how much your stolen data could be worth? A new report reveals the market value of all the most common types of stolen data available for sale to criminals on the dark web.

The "Hidden Data Economy” report by Intel Security Group’s McAfee Labs draws on years of close work with law enforcement, and ongoing monitoring of online platforms, communities and marketplaces where stolen data is hidden and sold – such as Alphabay and Crypto Market.

The report provides examples of how different types of stolen data are being packaged, and offers an illustration of average prices for different types of data. A few examples include:

Average estimated price for stolen credit and debit cards: $5 to $30 in the US; $20 to $35 in the UK; $20 to $40 in Canada; $21 to $40 in Australia; and $25 to $45 in the European Union

Bank login credentials for a $2,200 balance bank account: $190

Bank login credentials plus stealth funds transfers to US banks: from $500 for a $6,000 account balance, to $1,200 for a $20,000 account balance

Bank login credentials and stealth funds transfers to UK banks: from $700 for a $10,000 account balance, to $900 for a $16,000 account balance

Login credentials for online payment services such as PayPal: between $20 and $50 for account balances from $400 to $1,000; between $200 and $300 for balances from $5,000 to $8,000

Login credentials for online premium content services such as Netflix: as little as $0.55

Payment card data is perhaps the most well-known data type stolen and sold. A basic offering includes a software-generated, valid number that combines a primary account number, an expiration date, and a CVV2 number.

Valid credit card number generators can be purchased or found for free online. Prices rise based on additional information that allows criminals to accomplish more things with the core data.

This includes data such as the bank account ID number, the victim’s date of birth, and information categorised as “Fullzinfo”, including the victim’s billing address, PIN number, social security number, date of birth, the mother’s maiden name, and even the username and password used to access, manage, and alter the cardholder’s account online.

The following graph illustrates the average credit and debit card account sales prices across regions based on the combination of information made available:

Online payment service accounts – like PayPal accounts for example – are also sold on the open market, with their prices determined by additional factors.

However, these factors are considerably more limited than those of payment cards, with the available account balance the only defining factor influencing prices, according to the report:

The report claims that illegal sellers list adverts in the same way as any legitimate seller would – offering guarantees on stolen credit cards – and forums name and shame "bad sellers" who have sold stolen cards that don’t have offer up what was promised

“Like any unregulated, efficient economy, the cybercrime ecosystem has quickly evolved to deliver many tools and services to anyone aspiring to criminal behaviour,” said Raj Samani, chief technology officer for Intel Security in Europe, the Middle East and Africa.

“This ‘cybercrime-as-a-service’ marketplace has been a primary driver for the explosion in the size, frequency, and severity of cyber attacks. The same can be said for the proliferation of business models established to sell stolen data and make cybercrime pay.”

Payment card data is the most well-known data type stolen and sold Photo: Alamy

The news coincides with the publication of new figures from the Office for National Statistics, showing that cyber crime is now the UK's most common offence, with 2.5m incidents in the last year.

Cyber crime was previously excluded from official statistics but its inclusion in this latest report has resulted in an overall surge in crime rates of 107 pc - over double.

The most common cyber crimes, offences committed under the Computer Misuse Act, were where the victim's device was infected by a virus.